Raspberry Pi running Active Directory, using Samba on FreeBSD.

DNS Infrastructure

Setting Up the BIND Master Server

We're building an Active Directory server from Samba running on FreeBSD, free server software on a free operating system. Our first step is to set up the needed DNS infrastructure on an existing BIND master (or primary) DNS server. Then the Samba-based Active Directory can be a slave (or secondary) DNS server for those same zones. Jump back to the start for an overview of the project.

How to set up the needed DNS records

I want to name the new system freebsd.example.com, and I plan to use corp for the Windows domain. The server will have IPv4 address 10.1.1.235. I also want some aliases for the name — raspbsd and dc — so I will set up CNAME records.

I added the following to /var/named/named.example.com on the existing DNS master server. This is for the corp.example.com zone, so add that to all the hostnames: freebsd.corp.example.com, _ldap._tcp.corp.example.com, and so on. Change the IP addresses and names as needed:

[... lines deleted ...]
freebsd		IN	A	10.1.1.235
freebsd		IN	AAAA	fc00::ba27:ebff:fe41:b9ae
dc		IN	CNAME	freebsd
raspbsd		IN	CNAME	freebsd
;;; See https://technet.microsoft.com/en-us/library/dd316373.aspx
;;; _service._protocol.DNSdomain  IN	SRV priority weight port target
_ldap._tcp	IN	SRV	0 0 389 freebsd
_ldap._udp	IN	SRV	0 0 389 freebsd
_kerberos._tcp	IN	SRV	0 0  88 freebsd
_kerberos._udp	IN	SRV	0 0  88 freebsd
_kpasswd._tcp	IN	SRV	0 0 464 freebsd
_kpasswd._udp	IN	SRV	0 0 464 freebsd
; Need kerberos-adm if we will run kadmind to support kadmin remotely.
; Not needed if we will only do local administration:  kadmin -l
; And, administration will be through samba-tool.
_kerberos-adm._ucp	IN	SRV	0 0 749 freebsd
_kerberos-adm._tcp	IN	SRV	0 0 749 freebsd
; More, per:
; https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/
; It's unclear to me whether I need the following records.
; These may be needed only to support older Windows clients.
_ldap._tcp.pdc._msdcs	IN	SRV	0 0 389 freebsd
_ldap._tcp.gc._msdcs	IN	SRV	0 0 389 freebsd
_ldap._tcp.dc._msdcs	IN	SRV	0 0 389 freebsd
gc._msdcs		IN	A	10.1.1.235
[... lines deleted ...]
Configuring BIND to Support Active Directory SRV Resource Records

Notice that the SRV records need three numbers: the priority, the weight, and the UDP or TCP port number. Clients will try to contact one of the servers with the lowest priority first. The additional factor of weight allows you to do load balancing across those of identical priority. It seems reasonable to leave these both zero until you find that you need to do prioritization and load balancing.

I also needed the PTR records for reverse lookups. In the file for the 10.in-addr.arpa zone I added this:

235.1.1	IN	PTR	freebsd.example.com. 

And in the 0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.f.ip6.arpa zone file:

e.a.9.b.1.4.e.f.f.f.b.e.7.2.a.b		IN	PTR	freebsd.example.com. 

Run tail -f /var/log/messages in one window while you signal your named process to re-read its configuration. Make sure it reloads without error.

This Microsoft TechNet article dates back to Windows 2000 (!!) but it has an introductory explanation of integrating Active Directory and BIND.

The next step...

The next step is to install FreeBSD on a Raspberry Pi.